The personal information of 57 million Uber users was stolen in 2016, and the company paid hackers $100,000 to conceal it.

The San Francisco-based service didn’t reveal the data breach, which included consumers’ phone numbers, names and email addresses, until Tuesday. The license numbers of 600,000 U.S. drivers were also compromised.

But it was Uber’s response to the incident that further damaged its already shaky reputation. The ridesharing service failed to alert its customer base to the risk – possibly breaking breach disclosure laws in some of the states where it operates.

“Large enterprises often use new technologies without full understanding of the capabilities, functions, and vulnerabilities that may be introduced into their environments,” Alex Heid, CEO of SecurityScorecard, told Hearst Television on Wednesday. “We have seen the resulting breaches throughout the last year.”

Criminal data breaches are taking place with increased frequency - it's estimated they'll cost businesses a total of $8 trillion over the next five years. More than six billion personal records were stolen as of August this year, surpassing the total number of records compromised in 2016.

Uber likely isn't the first company to attempt to conceal a breach. Last year, 34 percent of US-based companies experienced some type of online security hack. According to a report from Bitdefender, two-thirds of companies surveyed admitted they would pay an average of $124,000 to hide it.

“The practice of paying ransom to attackers has become normal and standardized in recent years,” Heid says. “The rise of ransomware has increased the trend where businesses will pay off attackers - it appears to be a less expensive option than dealing with the loss of data, or potential fallout from a breach.”

Ransomware that hijacks private data or online networks is on the rise, as it can be safer and more profitable than selling illegally-obtained information. In May, a cyberattack dubbed WannaCry crippled hundreds of thousands of computers worldwide and disrupted businesses, schools and medical facilities.

The average cost of a U.S. data breach is currently $7.35 million, according to the Ponemon Institute. The same study revealed that the longer a company takes to disclose the incident, the more expensive it becomes.

“No breach stays secret, even with ransom payments, and the appearance of attempting to cover it up can deal a fatal blow to consumer trust in your brand,” Travis Jarae, founder and CEO of technology firm One World Identity, tells us. “To avoid becoming the next company to issue a press release on why their customer data is now for sale on the dark web, companies should consider deploying an attack-driven defense.”

Cybercriminals accessed Uber’s data through a third-party, cloud-based service. According to Bloomberg, they infiltrated the company’s account on GitHub, a site used to store code and organize projects.

“The case with Uber shows that paying a ransom will not help in the long term, as the implications from a major data breach will eventually be addressed,” Heid adds. “In the current era...everyone will eventually succumb to a data breach incident. What determines the wins and losses is the response to such an incident - rapid identification of vectors of attack, rapid mitigation of vectors of attack, rapid identification of unauthorized back doors to the network, and rapid notification to impacted customers and employees.”